On January 12, 2015, President Obama delivered a speech at the Federal Trade Commission during which he set forth several proposals, including the Personal Data Notification and Protection Act (the “Act”). The Act would institute a federal data breach reporting framework by requiring businesses that hold consumer data to issue alerts to those consumers within thirty days of a data breach.
Currently, almost every state has its own data breach notification law, which makes it confusing, costly, and difficult for businesses to issue all required notifications following a breach of personal data such as Social Security numbers and/or financial information. These state laws exist in addition to the requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), meaning that if a business suffers a breach of information that includes both personal data and health information, it has multiple state and federal reporting obligations that may all differ slightly from one another. A national standard would clarify obligations in these circumstances and lower the costs of compliance, because businesses would only need to consider both HIPAA and the general federal framework.
President Obama explained that in the current data breach landscape, “it’s confusing for consumers, and it’s confusing for companies, and it’s costly too, to have to comply with this patchwork of laws.” For these reasons, the business community has been advocating for a national breach reporting standard, and the Act has received some preliminary support. For example, the National Retail Federation immediately voiced its support for President Obama’s proposal.
Finally, President Obama appealed to Congress to support the Act and other initiatives he proposed by explaining that “protecting our information and privacy in the information age, this should not be a partisan issue.”